After you use the Security Console wizard to connect to the Cloud Authentication Service, Approve and Device Biometrics authentication on legacy authentication agents requires the user to enter a username and PIN.
The RSA SecurID Token PIN, the Approve PIN, and Device Biometrics PIN are the same for the initial Approve or Device Biometrics authentication. A user can change the PINs later and have an RSA SecurID Token PIN and a different PIN for Approve and Device Biometrics. Approve and Device Biometrics always use the same PIN. See Using PINs During the First Approve or Device Biometrics Authentication on RSA Link for information on PIN usage during the user's first authentication.
When a user forgets the PIN to use for Approve or Device Biometrics authentication, you can clear the PIN so the user can create a new PIN in the Self-Service Console, or the next time the user authenticates.
When you require a user to change a PIN for Approve and Device Biometrics, the user is prompted to create a new PIN after successfully authenticating with either method. The user can also change the PIN in the Self-Service Console
If the current PIN has been compromised, require the user to change the PIN. If a user has forgotten the PIN, clear the PIN so the user can set a new PIN.